With the continuous development of network attack methods, the bootable malicious program with a remote control function has become a representative type of malware. The attacker implants the malicious program during the start-up phase of the operating system, and its great destructive power poses a serious threat to computer security. At present, most security software runs in the application layer and cooperates with a kernel-layer driver to defend against malicious programs; there is no effective defence against malicious code that runs before the operating system starts. At the same time, because of the particularity and diversity of operating system boot procedures, this type of malicious code is relatively difficult to detect, so detecting it requires in-depth study of the underlying technology.

In this thesis we first study the two boot modes: the traditional BIOS (Basic Input Output System) and the newer UEFI (Unified Extensible Firmware Interface). Through detailed example analysis we examine the hijacking method used in the traditional BIOS boot mode and the exploitation method used in the UEFI boot mode, and summarise the attack principle for each. BIOS boot is hijacked mainly by modifying the master boot record (MBR) of the disk and then, through a chain of hooks, taking over the system boot process. UEFI boot is hijacked by hooking the UEFI shell: the routine we write regains control when the system kernel invokes the UEFI shell service. Based on these results, the thesis then makes an in-depth analysis of the source code of GRUB4DOS (the traditional BIOS boot framework) and GRUB2 (the UEFI boot framework), and designs and implements a boot-time remote control system. The basic idea is a custom boot module that hijacks operating system boot and releases the functional module before the operating system starts; the module then encrypts local data and uploads it to a server over the network. Because this runs before any security software has started, it can effectively bypass detection by security software.

Finally, the thesis implements a system prototype based on GRUB4DOS and GRUB2 and evaluates it experimentally. The results show that the prototype is compatible with both the traditional BIOS boot mode and the UEFI boot mode and effectively evades detection by security software. The thesis then compares current detection technology, summarises its deficiencies, and proposes two defence strategies: an active defence strategy based on a trusted platform, and a passive detection method that matches the characteristic features of the malicious code.
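The passive detection strategy described above matches characteristic features of the malicious code, and the BIOS-side attack described here works by modifying the master boot record. The most basic practical check is therefore to parse the 512-byte MBR and compare its boot-code region against a known-good baseline, in addition to validating the 0x55AA trailer and the four partition entries. The following C program is an added example written for this page, not code from the thesis or from GRUB4DOS/GRUB2: the sample sector bytes are constructed, the FNV-1a hash stands in for the real digest (such as SHA-256) a baseline would store, and all function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MBR_SIZE      512
#define MBR_CODE_LEN  446   /* boot-code region compared against the baseline */
#define MBR_PART_OFF  446   /* four 16-byte partition entries follow the code */
#define MBR_SIG_OFF   510   /* 0x55 0xAA trailer */

/* Result flags from mbr_check(); 0 means the sector passed every check. */
enum {
    MBR_OK            = 0,
    MBR_BAD_SIGNATURE = 1 << 0,   /* trailer is not 0x55 0xAA */
    MBR_CODE_MISMATCH = 1 << 1,   /* boot code differs from the recorded baseline */
    MBR_BAD_STATUS    = 1 << 2,   /* used entry with a status byte other than 0x00/0x80 */
    MBR_BAD_LBA       = 1 << 3    /* used entry starting at LBA 0 or with zero length */
};

struct mbr_part {
    uint8_t  status;     /* 0x80 = bootable, 0x00 = inactive */
    uint8_t  type;       /* partition type id, 0 = unused entry */
    uint32_t lba_first;  /* first sector, little-endian on disk */
    uint32_t sectors;    /* length in sectors, little-endian on disk */
};

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* FNV-1a 32-bit over the boot code (stand-in for a real digest; assumption). */
uint32_t mbr_code_hash(const uint8_t *sec) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < MBR_CODE_LEN; i++) {
        h ^= sec[i];
        h *= 16777619u;
    }
    return h;
}

/* Decode partition entry idx (0..3) from the raw sector. */
void mbr_parse_part(const uint8_t *sec, int idx, struct mbr_part *out) {
    const uint8_t *e = sec + MBR_PART_OFF + 16 * idx;
    out->status    = e[0];
    out->type      = e[4];
    out->lba_first = le32(e + 8);
    out->sectors   = le32(e + 12);
}

/* Validate a sector against a baseline boot-code hash; returns OR-ed flags. */
int mbr_check(const uint8_t *sec, uint32_t baseline) {
    int flags = MBR_OK;
    if (sec[MBR_SIG_OFF] != 0x55 || sec[MBR_SIG_OFF + 1] != 0xAA)
        flags |= MBR_BAD_SIGNATURE;
    if (mbr_code_hash(sec) != baseline)
        flags |= MBR_CODE_MISMATCH;
    for (int i = 0; i < 4; i++) {
        struct mbr_part p;
        mbr_parse_part(sec, i, &p);
        if (p.type == 0)
            continue;                      /* unused entry */
        if (p.status != 0x00 && p.status != 0x80)
            flags |= MBR_BAD_STATUS;
        if (p.lba_first == 0 || p.sectors == 0)
            flags |= MBR_BAD_LBA;          /* would overlap the MBR itself */
    }
    return flags;
}

/* Constructed sample sector (assumption): a fixed byte pattern, not a real loader. */
void make_sample_mbr(uint8_t *sec) {
    memset(sec, 0, MBR_SIZE);
    for (size_t i = 0; i < MBR_CODE_LEN; i++)
        sec[i] = (uint8_t)(0x90 + (i % 7));
    uint8_t *e = sec + MBR_PART_OFF;       /* one active Linux partition */
    e[0] = 0x80; e[4] = 0x83;
    e[8] = 0x00; e[9] = 0x08; e[10] = 0x00; e[11] = 0x00;   /* LBA 2048 */
    e[12] = 0x00; e[13] = 0x00; e[14] = 0x10; e[15] = 0x00; /* 0x100000 sectors */
    sec[MBR_SIG_OFF] = 0x55; sec[MBR_SIG_OFF + 1] = 0xAA;
}

/* Baseline recorded from the clean sector, then checked against three states. */
int demo_clean(void) {
    uint8_t s[MBR_SIZE]; make_sample_mbr(s);
    return mbr_check(s, mbr_code_hash(s));
}
int demo_patched_code(void) {              /* attacker overwrote the start of the boot code */
    uint8_t s[MBR_SIZE]; make_sample_mbr(s);
    uint32_t baseline = mbr_code_hash(s);
    s[0] = 0xEB; s[1] = 0xFE;              /* x86 "jmp $" stand-in for injected code */
    return mbr_check(s, baseline);
}
int demo_bad_signature(void) {             /* trailer clobbered, boot code untouched */
    uint8_t s[MBR_SIZE]; make_sample_mbr(s);
    uint32_t baseline = mbr_code_hash(s);
    s[MBR_SIG_OFF] = 0x00;
    return mbr_check(s, baseline);
}

int main(void) {
    printf("clean=%d patched=%d badsig=%d\n",
           demo_clean(), demo_patched_code(), demo_bad_signature());
    return 0;
}
```

On a real host the sector would be read from the raw disk device (for example `/dev/sda` on Linux) and the baseline stored outside the machine being checked; a check that runs only after the operating system has booted can still be fooled by a bootkit that hooks the disk read path, which is why the thesis pairs this passive matching with a trusted-platform strategy.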